Get your NIST 800-53 Risk Assessment framework here! Remediate your SOC 2 risks in weeks, not months! ISO 27001 Risk Assessment with your top ten risks delivered to your team! Our platform manages your cloud risks for you!
No activity in the compliance and cybersecurity industry is more abused, mis-sold, or misrepresented than risk assessment.
As we embark on our risk assessment adventure, we need to determine a few things first:
Who is the audience for the security assessment?
What are the organizational objectives or security requirements for the risk assessment?
Where is the assessment taking place, and what assets are involved? Is there federal or state legislation that needs to be addressed per site?
Why is your organization performing the assessment?
When does the risk assessment occur, and are there any changes in the environment that would require a new risk assessment?
After you answer all these questions, you are ready to start the discussion of a risk assessment. A risk assessment should be a qualitative, repeatable, systematic methodology (including assets), resulting in quantitative metrics that are communicated and measured by the organization at least annually. With that being said, just like cybersecurity or dieting, there is no silver bullet or “one size fits all” approach to risk assessment. Determining your approach to risk assessment should also take into account:
Culture of the organization
Maturity of the organization
Legal, Contractual, Security and Privacy requirements.
Annual budget (creating an operational expenditure as opposed to a capital expenditure)
Remember, as with all things we don’t want to build a million-dollar moat around a two-cent castle.
The most common mistake when shopping for a risk assessment is buying an automated controls assessment, a controls assessment, or a security assessment masquerading as a risk assessment. When scoping a risk assessment, a set of controls (NIST 800-171, the NIST 800 series, HIPAA/HITECH, ISO 27001, etc.) should be just one piece of the puzzle. A set of controls or an automated tool cannot discern your organizational or business model, the assets involved, the legal and regulatory landscape, the profit and loss, or the risk appetite of your organization.
You’re probably wondering what a controls assessment is. A controls assessment is a binary assessment (1 or 0: you either comply or you don’t) that resembles a readiness or gap assessment. As I mentioned above, the assessment can be against any set of controls (HIPAA, SOC 2 Type 1, or SOC 2 Type 2, to name a few) or even a hodgepodge of controls like HITRUST. A controls assessment does not include organizational assets, a methodology, or an organizationally defined risk appetite.
The major risk methodologies in the information asset space are the FAIR methodology, COSO ERM, ISO 31000, ISO 27005, and NIST 800-30. These methodologies require organizational input and direction; approvals straight from the top of the organization (up to and including board-level involvement); Confidentiality, Integrity, and Availability impact analysis; a defined, repeatable process; quantification of risk; a defined acceptable risk appetite (determined by the organization); and, most importantly, the people, process, and technology (assets) that support the organization.
Anyone who tells you that an automated tool will analyze all your risk is misinforming you. A set of controls is not risk management. A top ten delivered by a third party doesn’t come close to understanding what real risks are involved with your organization, or even address a good portion of the risk in your environment. Due diligence and stakeholder commitments require much, much more.
Compliance is not risk management; however, a good risk management program can be compliant.
Risk is both a noun and a verb; risk assessment and treatment are verbs, and a control assessment or automated tool is a noun. Risk management requires actionable intelligence to make an informed decision. Avoid the hype: a control assessment or automated tool just plain can’t hack it. If you are going to spend the money, use it to save money, not to check a box.